# AppArmor policy for ejabberd (AppArmor policy language, policy abi 4.0).
# The profile itself starts below; these lines only declare the abi, pull in
# the global tunables and define the path variables the rules refer to.
abi <abi/4.0>,

include <tunables/global>

# Path variables.  `{64,}` makes each rule match both the lib64 and the lib
# layout; `{var,run}` covers both /var/lock and /run/lock.
@{ERLANG_BASE_DIR}     = /usr/lib{64,}/erlang
@{EJABBERD_BASE_DIR}   = /usr/lib{64,}/ejabberd
@{EJABBERD_CONFIG_DIR} = /etc/ejabberd
@{EJABBERD_DATA_DIR}   = /var/lib/ejabberd
@{EJABBERD_LOCK_DIR}   = /{var,run}/lock/ejabberdctl
@{EJABBERD_LOG_DIR}    = /var/log/ejabberd

# Top-level profile.  It attaches to the control script /usr/sbin/ejabberdctl;
# every helper the script spawns, and the Erlang runtime itself, is pushed into
# one of the nested child profiles below by an explicit px/cx transition, so no
# child ever inherits (ix) the script's own permissions except bash/sh.
# Child profiles are addressed as ejabberd//<name>.
#
# NOTE(review): no `signal` or `ptrace` rules appear anywhere in this policy.
# beam_smp and erl_child_setup run under different child profiles; if the
# kernel mediates signals between confined peers, stop/kill between them would
# need explicit `signal` rules -- confirm against audit logs before relying on
# clean shutdown.
profile ejabberd /usr/sbin/ejabberdctl {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  # Shell utilities used by ejabberdctl.  Each runs under a separate child
  # profile (px) rather than inheriting this one.  sed gets its own profile
  # because it has to read ejabberd.yml (see ejabberdctl_sed below).
  /{,usr/}bin/cat      px -> ejabberd//simple_shell_tool,
  /{,usr/}bin/date     px -> ejabberd//simple_shell_tool,
  /{,usr/}bin/expr     px -> ejabberd//simple_shell_tool,
  /{,usr/}bin/flock    px -> ejabberd//flock,
  /{,usr/}bin/pgrep    px -> ejabberd//pgrep,
  /{,usr/}bin/grep     px -> ejabberd//simple_shell_tool,
  /{,usr/}bin/id       px -> ejabberd//simple_shell_tool,
  /{,usr/}bin/sed      px -> ejabberd//ejabberdctl_sed,
  /{,usr/}bin/seq      px -> ejabberd//simple_shell_tool,
  /{,usr/}bin/sleep    px -> ejabberd//simple_shell_tool,
  /{,usr/}bin/uuidgen  px -> ejabberd//simple_shell_tool,

  # px with no `->` target: the transition goes to whatever profile is attached
  # to the epmd path, which is not defined in this file.  If no such profile is
  # loaded, executing epmd is denied (same for the epmd rule in erlexec).
  @{ERLANG_BASE_DIR}/erts-*/bin/epmd px,

  # The script's interpreter runs under this same profile (ix).
  # NOTE(review): the brace is placed differently from the `{,usr/}` form used
  # above -- this expands to `//bin/bash` and `/usr/bin/bash`.  The parser is
  # expected to collapse the doubled slash, but the `{,usr/}` form would be
  # consistent and unambiguous; same pattern in erl, erlexec and erl_child_setup.
  /{,usr}/bin/bash ix,
  /{,usr}/bin/sh ix,

  # The control script's own inputs: its config, the data directory listing,
  # the Erlang distribution cookie (read-only here) and the lock files.
  # rwkl on the lock files = read, write, file lock, link.
  /usr/sbin/ejabberdctl r,
  @{EJABBERD_CONFIG_DIR}/ejabberdctl.cfg r,
  @{EJABBERD_DATA_DIR}/ r,
  @{EJABBERD_DATA_DIR}/.erlang.cookie r,
  @{EJABBERD_LOCK_DIR}/ r,
  @{EJABBERD_LOCK_DIR}/ejabberdctl* rwkl,

  # cx -> erl: transition into the local child profile `erl` (i.e. ejabberd//erl).
  /usr/bin/erl cx -> erl,
  @{ERLANG_BASE_DIR}/bin/erl cx -> erl,
  /proc/sys/kernel/random/uuid r,

  # flock(1), used by ejabberdctl on the lock directory.  rmix on its own binary
  # lets it read/mmap itself and re-exec under this same profile.
  profile flock {
    include <abstractions/base>
    /{,usr/}bin/flock  rmix,
    @{EJABBERD_LOCK_DIR}/ r,
    @{EJABBERD_LOCK_DIR}/ejabberdctl* rwkl,
  }
  # pgrep(1).  Matching processes by name requires enumerating /proc and reading
  # every process's cmdline, so the wildcard here is intentional.
  profile pgrep {
    include <abstractions/base>
    /{,usr/}bin/pgrep    rm,
    /proc/ r,
    /proc/*/cmdline r,
    /proc/sys/kernel/osrelease r,
  }

  # Shared profile for tools that need nothing beyond base + nameservice.
  # sed is listed here as well as in ejabberdctl_sed because the erl profile
  # sends sed here; in this profile sed cannot read ejabberd.yml.
  profile simple_shell_tool {
    include <abstractions/base>
    include <abstractions/nameservice>

    /{,usr/}bin/cat      rm,
    /{,usr/}bin/date     rm,
    /{,usr/}bin/expr     rm,
    /{,usr/}bin/grep     rm,
    /{,usr/}bin/id       rm,
    /{,usr/}bin/sed      rm,
    /{,usr/}bin/seq      rm,
    /{,usr/}bin/sleep    rm,
    /{,usr/}bin/uuidgen  rm,

    /proc/sys/kernel/random/uuid r,
  }

  # sed as invoked by ejabberdctl: the only helper allowed to read ejabberd.yml.
  profile ejabberdctl_sed {
    include <abstractions/base>
    /{,usr/}bin/sed    rm,
    @{EJABBERD_CONFIG_DIR}/ejabberd.yml r,
  }


  # The `erl` launcher (a shell script): it runs bash/sh inline and then execs
  # erlexec, which gets its own profile.
  profile erl {
    include <abstractions/base>
    include <abstractions/bash>
    include <abstractions/consoles>
    include <abstractions/nameservice>

    /{,usr}/bin/bash rmix,
    /{,usr}/bin/sh   rmix,
    /{,usr/}bin/sed    px -> ejabberd//simple_shell_tool,
    /{,usr/}bin/date   px -> ejabberd//simple_shell_tool,

    /usr/bin/erl r,
    @{ERLANG_BASE_DIR}/bin/erl r,

    @{ERLANG_BASE_DIR}/erts-*/bin/erlexec px -> ejabberd//erlexec,
  }
  # erlexec: starts the VM (beam.smp), the port-program spawner
  # (erl_child_setup) and epmd (px without target, see note on the top-level
  # epmd rule).
  profile erlexec {
    include <abstractions/base>
    include <abstractions/bash>
    include <abstractions/consoles>
    include <abstractions/nameservice>
    include <abstractions/erlang>

    /{,usr}/bin/bash ix,
    @{ERLANG_BASE_DIR}/erts-*/bin/erlexec rm,

    @{ERLANG_BASE_DIR}/erts-*/bin/beam.smp     px -> ejabberd//beam_smp,
    @{ERLANG_BASE_DIR}/erts-*/bin/erl_child_setup  px -> ejabberd//erl_child_setup,
    @{ERLANG_BASE_DIR}/erts-*/bin/epmd         px,
  }

  # inet_gethost: Erlang's name-resolution port program; only needs
  # nameservice plus read/mmap of itself.
  profile inet_gethost {
    include <abstractions/base>
    include <abstractions/bash>
    include <abstractions/consoles>
    include <abstractions/nameservice>
    include <abstractions/erlang>

    @{ERLANG_BASE_DIR}/erts-*/bin/inet_gethost rm,
  }

  # erl_child_setup: the process the VM uses to spawn port programs.  Every
  # program it may start is named explicitly and confined separately.
  profile erl_child_setup {
    include <abstractions/base>
    include <abstractions/bash>
    include <abstractions/consoles>
    include <abstractions/nameservice>
    include <abstractions/erlang>

    /{,usr}/bin/bash ix,
    @{ERLANG_BASE_DIR}/erts-*/bin/erl_child_setup rm,

    # NOTE(review): @{pid} comes from tunables/kernelvars; unless the kernel
    # restricts it to the task's own pid this is a numeric glob and grants a
    # listing of any process's fd directory -- confirm which applies here.
    /proc/@{pid}/fd/ r,

    @{ERLANG_BASE_DIR}/erts-*/bin/inet_gethost  px -> ejabberd//inet_gethost,
    @{ERLANG_BASE_DIR}/lib/eimp-*/priv/bin/eimp px -> ejabberd//eimp,
    @{ERLANG_BASE_DIR}/lib/os_mon-*/priv/bin/memsup px -> ejabberd//memsup,

    /usr/bin/inotifywait px -> ejabberd//inotify_wait,
    /usr/bin/df px -> ejabberd//df,
  }

  # inotifywait port program.
  # NOTE(review): this profile (and memsup, df, eimp below) includes
  # abstractions/bash although it grants no shell exec; presumably carried over
  # from the profiles above -- verify in audit logs and drop if unused.
  profile inotify_wait {
    include <abstractions/base>
    include <abstractions/bash>

    /usr/bin/inotifywait rm,

   # Site-local additions; silently skipped when the file does not exist.
   include if exists <local/ejabberd-inotify-wait>
  }

  # memsup: os_mon memory-supervisor port program.
  profile memsup {
    include <abstractions/base>
    include <abstractions/bash>

    @{ERLANG_BASE_DIR}/lib/os_mon-*/priv/bin/memsup rmix,
  }

  # df(1) as spawned by the VM.
  # NOTE(review): `/proc/*/mountinfo` matches every process's mountinfo, while
  # beam_smp uses `/proc/@{pid}/mountinfo` for the same file; the two should
  # probably use the same, narrower form.
  profile df {
    include <abstractions/base>
    include <abstractions/bash>

    /usr/bin/df rmix,
    /proc/*/mountinfo r,
  }

  # eimp: image-processing port program shipped with ejabberd's eimp library.
  profile eimp {
    include <abstractions/base>
    include <abstractions/bash>
    include <abstractions/consoles>
    include <abstractions/nameservice>
    include <abstractions/erlang>

    @{ERLANG_BASE_DIR}/lib/eimp-*/priv/bin/eimp rm,
  }


  # beam_smp: the Erlang VM running ejabberd itself.  This is the only profile
  # with network access, the only one with a capability, and the only one that
  # may write to the data and log directories.
  profile beam_smp {
    include <abstractions/base>
    include <abstractions/bash>
    include <abstractions/consoles>
    include <abstractions/nameservice>
    include <abstractions/erlang>
    include <abstractions/openssl>

    # TCP only (stream); net_bind_service allows listening on ports below 1024.
    network inet  stream,
    network inet6 stream,
    capability net_bind_service,

    /proc/@{pid}/mountinfo r,
    /sys/fs/cgroup/cgroup.controllers r,

    @{ERLANG_BASE_DIR}/erts-*/bin/beam.smp rm,
    @{ERLANG_BASE_DIR}/erts-*/bin/erl_child_setup  px -> ejabberd//erl_child_setup,

    # Every file directly in the config directory is readable (non-recursive).
    @{EJABBERD_CONFIG_DIR}/* r,

    # Read of the lib directory itself seems to be needed because ejabberd is
    # built with --libdir=%{_libdir}.  Below it, the ejabberd tree is readable
    # and its shared objects may be mmap'ed (m).
    /usr/lib{64,}/                 r,
    @{EJABBERD_BASE_DIR}/**      r,
    @{EJABBERD_BASE_DIR}/**/*.so rm,


    # Persistent state: the data directory and everything under it.
    @{EJABBERD_DATA_DIR}/       rw,
    @{EJABBERD_DATA_DIR}/**     rw,

    # Logs: read, write, link, lock on entries under the log directory.
    # NOTE(review): there is no rule for @{EJABBERD_LOG_DIR}/ itself, so a
    # listing of the log directory is presumably not granted -- confirm whether
    # that is needed.
    @{EJABBERD_LOG_DIR}/**      rwlk,

   # Site-local additions; silently skipped when the file does not exist.
   include if exists <local/ejabberd-beam-smp>
  }
}
